Follow-up Audit of Information Security Management of FDIC Contractors

(Audit Report No. 03-043, September 26, 2003)


Summary

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General has completed a follow-up audit of information security management of contractors with access to the Corporation’s sensitive information resources. The objective of this audit was to determine whether the FDIC had made adequate progress in addressing the recommendations in Audit Report No. 02-035, Information Security Management of FDIC Contractors, dated September 30, 2002. Our audit focused on information security in acquisition planning, contract security provisions, and contractor oversight. To accomplish our objectives, we reviewed new policies and procedures issued by the FDIC to address recommendations in our audit Report No. 02-035 and the FDIC’s actions to implement the new policies and procedures. Furthermore, we performed limited testing at five FDIC off-site contractors to evaluate their security practices.

The FDIC has developed and finalized policies and procedures to address the prior report recommendations regarding security in acquisition planning, contract requirements, and contractor oversight. In addition, the FDIC intends to ensure that new contracts contain adequate security provisions and plans to evaluate the cost benefit of modifying existing contracts to include adequate security provisions.

Recommendations

We did not make recommendations related to acquisition planning or contract security requirements because it was premature to evaluate the effectiveness of the policies and procedures that FDIC recently issued. However, we did recommend that the Acting Director, Division of Information and Resources Management (DIRM), update contractor security oversight procedures.

Management Response

The Acting Director, DIRM, adequately addressed the report recommendations, which are considered resolved.

This report addresses issues associated with information security. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of the report.